Completing Stage 1 of ISO/IEC 27001 is all about preparation. The audit evaluates whether your Information Security Management System (ISMS) is documented and structured in alignment with ISO/IEC 27001 requirements, including policies, procedures, and the scope of your controls.
Clients can use this audit to understand their current situation and where improvements are needed before proceeding. This stage is critical for documenting and laying the groundwork for the ISMS to be integrated into real-life scenarios.
Before Stage 2 of Your ISO/IEC 27001: ISMS Implementation and Addressing the Gaps From Stage 1
After Stage 1, the priority is preparing for Stage 2 by ensuring the ISMS is fully implemented following ISO/IEC 27001 requirements. Any issues identified in Stage 1 must be addressed before proceeding. The focus now shifts from documentation to operational execution.
Key next steps include:
- Conducting a gap analysis of any areas yet to be implemented
- Prioritizing improvements and ensuring all Stage 1 areas of concern are remediated
- Assigning responsibilities and timelines
These actions help pave the way for a smooth Stage 2 audit.
What to Expect in the Stage 2 Audit
Stage 1 concerns constructing a strong foundation for the ISMS. Stage 2 evaluates the effectiveness of the implementation (which is why it must be fully implemented beforehand). Auditors examine how your organization applies its policies and whether your controls are effective and implemented as the standard requires.
This involves interviews with ISMS stakeholders, testing the ISMS against the ISO/IEC 27001 requirements, and evaluating all applicable Annex A controls to ensure they are appropriately justified for inclusion or exclusion, and implemented accordingly.
Risk Management and Assessment
ISO/IEC 27001 places a strong emphasis on risk assessment. During Stage 2, auditors will review how your organization identifies, evaluates, and responds to risks. You’ll want to:
- Revisit and refine your risk assessment process
- Document any changes to your risk landscape
- Show how your risk strategies align with current threats
A thoughtful and proactive approach to risk demonstrates your commitment to protecting information assets.
Implementation of Controls
In Stage 1, you presented your Statement of Applicability outlining which Annex A controls you’ve deemed relevant. For Stage 2, those controls must be implemented and supported by evidence. Ensure your documentation shows how these controls are applied and maintained across your organization.
Training and Employee Awareness
Your ISMS is not just a set of guidelines for the IT team; it is everyone’s responsibility. A well-informed team is vital to the success of your ISMS. Auditors will want to see that employees understand their role in maintaining security.
- Everyone needs to understand the basics: how to spot a phishing email, and what to do if they notice a weakness in security measures.
- You can either provide comprehensive information security training or launch awareness campaigns on policies and incident reporting.
These initiatives help embed security into your organizational culture.
Internal Audit
Internal audits are a key tool for continuous improvement because they allow you to uncover and resolve issues before the external audit.
Ensure your internal audit program is:
- Objective, thorough, and regularly scheduled
- Well documented with clear evidence of findings
- Supported by timely corrective actions and lessons learned
How Do I Know I’m Ready for Stage 2?
There’s no set timeframe between Stage 1 and Stage 2. The only requirement in that regard is that you’ve completed one full cycle of your ISMS and implemented the applicable controls.
You’re ready for the ISO/IEC 27001 Stage 2 audit if you can demonstrate:
- Successful remediation of all Stage 1 areas of concern
- Implementation of each ISMS process
- Evidence of all applicable Annex A controls
- Ongoing risk assessment and internal audit activity
- Staff training and awareness
Stage 2 is your opportunity to prove that your ISMS is not only well-designed but also effectively integrated into daily operations. Beyond certification, this process helps build a culture of security and trust—a culture that protects your business and supports long-term success.
Have questions about getting ready for Stage 2? We’re here to help.